
Heavy DDoS attack

Discussion in 'Security' started by MoOZ125, Nov 8, 2010.

  1. MoOZ125

    MoOZ125 Registered

    Joined:
    Nov 8, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Hi there,

    Our cPanel is under a heavy DDoS attack.
    The attacker sends tons of requests to port 2082, which makes cpsrvd busy and unreachable, returning 500 Internal error.

    Here are some cPanel access logs which indicate that:

    Code:
    12.165.252.104 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    65.202.152.252 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    184.72.232.114 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    118.69.192.62 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    187.9.219.132 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    81.85.205.46 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    81.85.205.46 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    81.85.205.46 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    190.8.32.47 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    89.149.254.156 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    212.80.37.139 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    206.155.80.10 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    81.85.205.94 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    98.216.233.172 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    195.199.199.73 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    81.85.205.94 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    81.85.205.94 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    12.165.252.104 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    217.92.46.197 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    189.19.13.234 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    97.74.126.121 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    69.181.18.220 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    12.165.252.104 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    12.165.252.104 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    12.165.252.104 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    12.165.252.104 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    190.8.32.47 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    218.25.99.135 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    192.152.45.8 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.158.72.155 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    24.187.175.63 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.0" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    71.205.108.210 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    67.175.220.208 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.0" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    212.40.108.252 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    203.156.212.43 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    209.190.54.58 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    202.115.12.162 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    12.165.252.104 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    12.165.252.104 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    12.165.252.104 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    12.165.252.104 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    12.165.252.104 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    210.22.128.206 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    189.19.13.234 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    184.72.232.114 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    207.44.196.45 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    69.181.18.220 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    173.204.85.10 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    81.85.205.94 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    195.199.199.73 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    195.62.115.62 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    98.194.187.42 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    71.205.108.210 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    87.106.249.81 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    109.68.186.218 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    61.180.188.133 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    173.203.243.138 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    189.19.13.234 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    202.28.66.115 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    195.62.115.62 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    190.228.67.170 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    79.142.55.199 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    218.29.234.50 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    212.80.37.139 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    210.22.128.206 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    193.44.174.20 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    68.68.107.64 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    212.231.211.245 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    189.19.13.234 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    211.142.22.8 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.0" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    119.96.183.36 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    You can see the IPs are from different ranges, probably spoofed.
    The only thing the requests have in common is the User-Agent.

    Since there are more than 5k IPs, it's impossible to deny them using iptables.
    Unfortunately there is no way to deny User-Agents or IPs using an access list or something like htaccess.
    It would be greatly appreciated if you implemented a feature to filter requests by agent, referrer and IP address.

    For now I'm looking for a temporary solution.
    Any suggestion is welcome.

    Regards
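    As an added illustration (not code from the original post), the following script profiles a cpsrvd access-log excerpt in the layout quoted above and reports the two indicators the poster describes: hits per source IP stay low while the flood is spread over many addresses, and one User-Agent string dominates. The sample lines are constructed with RFC 5737 documentation addresses, not the ones from the thread.

```python
import re
from collections import Counter

# Constructed sample in the cpsrvd access-log layout quoted in the post above;
# the addresses are RFC 5737 documentation ranges, not the ones from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [11/08/2010:01:18:26 -0000] "GET / HTTP/1.0" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.77 - - [11/08/2010:01:18:27 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.99 - - [11/08/2010:01:18:27 -0000] "GET /login/ HTTP/1.1" 200 5120 "" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
"""

# One named group per field of the common-log-format line cpsrvd writes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(text, ua_share=0.8):
    """Profile unauthenticated 'GET /' hits: how spread out is the flood, and
    does a single User-Agent dominate it?  Returns a dict of indicators."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    flood = [e for e in events if e["status"] == "401" and e["req"].startswith("GET / ")]
    if not flood:
        return {"flood_hits": 0}
    per_ip = Counter(e["ip"] for e in flood)
    per_second = Counter(e["ts"] for e in flood)
    ua, ua_hits = Counter(e["ua"] for e in flood).most_common(1)[0]
    share = ua_hits / len(flood)
    return {
        "flood_hits": len(flood),
        "distinct_ips": len(per_ip),
        "max_hits_per_ip": max(per_ip.values()),       # low => per-IP blocking is weak
        "peak_hits_per_second": max(per_second.values()),
        "shared_ua": ua if share >= ua_share else None,  # common signature, if any
        "shared_ua_share": round(share, 2),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

    Run it against the real cpsrvd log to get the same indicators for the actual attack; a high distinct-IP count with a low per-IP maximum is the case the poster describes where iptables denies per address do not scale.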
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,481
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Contact your server provider, they can help more here at this point than anything else, IMHO.
     
  3. MoOZ125

    MoOZ125 Registered

    Joined:
    Nov 8, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for your suggestion.
    Unfortunately they don't offer any DDoS protection services.

    Besides, these requests could easily be blocked by User-Agent filtering.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,481
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  5. JamesCartelo

    JamesCartelo Registered

    Joined:
    Nov 9, 2010
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    I suggest you install CSF on your server.
    ConfigServer Security & Firewall

    After installation,
    go to ConfigServer Security & Firewall in WHM and set your Firewall Security Level to Medium. Then
    change SYNFLOOD = 0 to SYNFLOOD = 1 in ConfigServer Security & Firewall >> Firewall Configuration.

    Restart CSF using WHM.

    Another way is to use APF + DDoS Deflate
    (D)DoS Deflate - deflate.medialayer.com

    My suggestion is CSF. :)

    Regards,
     
  6. privilegeserver

    privilegeserver Registered

    Joined:
    Nov 14, 2010
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    CSF controls DDoS attacks as well.
     
  7. sOliver

    sOliver Active Member

    Joined:
    Oct 25, 2010
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Install mod_limitipconn
    Install mod_ddosdeflate
    Install mod_geoip and ban all countries like CN, VN, IR, PK...
    Install CSF and set the connection limit to 300
    Set Apache Timeout to 5
    Disable KeepAlive
    Optimize SQL and add a Query Cache
    Disable services
    Remove all plugins that you don't need (if you run a CMS like Drupal, WP, ...)
    Find out what files they are downloading. Put an htaccess in it and disallow a blank referrer.

    I hope this helps...
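    The CSF advice in the two posts above (turn SYNFLOOD on, set a connection limit of 300) boils down to a few csf.conf values. As an added example, not code from either poster or from ConfigServer, this script parses csf.conf-style `KEY = "value"` lines and reports which of those settings are still at a weak value; the two excerpts are constructed, and the per-port CONNLIMIT entry for 2082 is an assumption beyond what the posts say.

```python
import re

# Constructed csf.conf excerpts (the real file is /etc/csf/csf.conf and has many
# more keys).  WEAK_CONF reflects the values the posts tell the OP to change,
# HARDENED_CONF the recommended ones: SYNFLOOD on and a connection-tracking
# limit of 300, plus (an assumption) a per-port CONNLIMIT entry for cpsrvd's 2082.
WEAK_CONF = '''
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
CT_LIMIT = "0"
CONNLIMIT = ""
'''

HARDENED_CONF = '''
SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
CT_LIMIT = "300"
CT_INTERVAL = "30"
CONNLIMIT = "2082;50,2083;50"
'''

KV_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"\s*$')

def parse_csf(text):
    """Return the KEY = "value" pairs of a csf.conf-style text as a dict."""
    conf = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def audit(conf, port="2082"):
    """List the settings from the thread that are still at a weak value."""
    findings = []
    if conf.get("SYNFLOOD", "0") != "1":
        findings.append("SYNFLOOD is off: SYN-flood rate limiting disabled")
    try:
        ct_limit = int(conf.get("CT_LIMIT", "0"))
    except ValueError:
        ct_limit = 0
    if ct_limit <= 0:
        findings.append("CT_LIMIT is 0: no per-IP connection-tracking limit")
    # CONNLIMIT is a comma-separated list of "port;limit" pairs.
    ports = {p.split(";")[0] for p in conf.get("CONNLIMIT", "").split(",") if p}
    if port not in ports:
        findings.append(f"CONNLIMIT has no entry for port {port}")
    return findings
```

    Per-IP limits only help against the part of a flood that repeats from the same address; as a later post in this thread notes, an attacker spreading requests thinly across many sources can stay under them.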
     
  8. syslint

    syslint Well-Known Member

    Joined:
    Oct 9, 2006
    Messages:
    249
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    India
    cPanel Access Level:
    Root Administrator
    He has a DDoS on port 2082, not on port 80, so the above won't help him.
     
  9. sOliver

    sOliver Active Member

    Joined:
    Oct 25, 2010
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    CSF will help to protect port 2082. Other than that you need a hardware firewall.
     
  10. GaryT

    GaryT Well-Known Member

    Joined:
    May 19, 2010
    Messages:
    321
    Likes Received:
    3
    Trophy Points:
    16
    No software can stop big spoofed DDoS attacks, only minor ones.

    For full protection you need a hardware IP filter.

    See, when the attack takes place it still goes to the machine... Now with a hardware filter it goes through the network [gets filtered], which then sends the good and clean connections to the box.

    Now the same goes with CSF and DoS Deflate and such. See, you can set a reasonable connection limit of 400, but then the person who is doing the attacks can go lower and lower to bypass the software and still hurt the machine. Now if you set it too low you will probably lose good connections on TIME_WAIT and such.

    Now another thing: if you ban countries like all of the above suggested, you could easily fill iptables up and crash it, or put a bit more load on the server.

    I would suggest just doing the common countries. I go by what LFD reports and 99.9% it's China, so I just add CN to the deny file.
     